Free Support Forum -

CryptographicException when trying to sign a PDF document

Using PDF version the following occurs when trying to sign a PDF document:

System.Security.Cryptography.CryptographicException: An internal error occurred. at System.Security.Cryptography.CryptographicException.ThrowCryptogaphicException(Int32 hr) at System.Security.Cryptography.X509Certificates.X509Utils._LoadCertFromBlob(Byte[] rawData, IntPtr password, UInt32 dwFlags, Boolean persistKeySet, SafeCertContextHandle& pCertCtx) at System.Security.Cryptography.X509Certificates.X509Certificate.LoadCertificateFromBlob(Byte[] rawData, Object password, X509KeyStorageFlags keyStorageFlags) at System.Security.Cryptography.X509Certificates.X509Certificate2…ctor(Byte[] rawData, String password) at .?.(Byte[] , String ) at .?..ctor(Stream , String ) at Aspose.Pdf.InteractiveFeatures.Forms.SignatureField.Sign(Signature signature, Stream pfx, String pass) at Aspose.Pdf.Facades.PdfFileSignature.(Stream , Stream ) at …SignPDF(…) in …\PDFtoPNG.cs:line 267

On the same machine using the same certificate; the following allows the certificate to be loaded:

System.Security.Cryptography.X509Certificates.X509Certificate cert = new System.Security.Cryptography.X509Certificates.X509Certificate(“filename”, “password”, System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.MachineKeySet);

Is there any property I can set to change the X509KeyStorageFlags parameter for the System.Security.Cryptography.X509Certificates.X509Certificate2 Constructor?


Is there any property I can set to apply a System.Security.Cryptography.X509Certificates.X509Certificate2 to the Aspose.Pdf.InteractiveFeatures.Forms.PKCS7 class?

Hi Roy,<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Thank you for considering Aspose.

Please share your template file and certificate file with us to help us test the issue at our end. We will check it and get back to you soon.

Sorry for the inconvenience,

I have created a test application and loaded it at:

The first link on the development site, all the operations work.

The second link on the Demo site, the signing does not work.

The source code:


using System;

using System.Collections.Generic;

using System.Web;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.IO;

using System.Web.Configuration;

using Aspose.Pdf.Facades;

using Aspose.Pdf.InteractiveFeatures.Forms;

namespace Aspose


public partial class _Default : System.Web.UI.Page


protected void Page_Load(object sender, EventArgs e)



protected void cbProcess_Callback(object source, DevExpress.Web.ASPxCallback.CallbackEventArgs e)




if (e.Parameter.ToLower() == “pdf”)


Aspose.Pdf.License lic = new Aspose.Pdf.License();

lic.Embedded = true;


Aspose.Pdf.Document pdfDocument = new Aspose.Pdf.Document(MapPath(aPDFsrc.HRef));

//create PdfFileSignature object and bind input and output PDF files

PdfFileSignature pdfSign = new PdfFileSignature(pdfDocument);

//create any of the three signature types

//PKCS1 signature = new PKCS1(WebConfigurationManager.AppSettings[“signingpfx”], WebConfigurationManager.AppSettings[“signing”]); // PKCS#1 or

PKCS7 signature = new PKCS7(WebConfigurationManager.AppSettings[“signingpfx”], WebConfigurationManager.AppSettings[“signing”]); // PKCS#7 or

//PKCS7Detached signature = new PKCS7Detached(WebConfigurationManager.AppSettings[“signingpfx”], WebConfigurationManager.AppSettings[“signing”]); // PKCS#7 detached

//set signature appearance

pdfSign.SignatureAppearance = MapPath(aPNGsrc.HRef);

System.Drawing.Rectangle rect = new System.Drawing.Rectangle(0, 0, 312, 156);

pdfSign.Sign(1, “Debugging PDF signing via web page”, “Roy Eaton”, “Test web site”, true, rect, signature);

//save output PDF file


e.Result = string.Format(“Completed; the link {0} is valid”, aPDFdest.InnerText);




System.Security.Cryptography.X509Certificates.X509KeyStorageFlags ksf;

switch (e.Parameter.ToLower())


case “m”: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.MachineKeySet; break;

case “e”: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.Exportable; break;

case “p”: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.PersistKeySet; break;

case “uk”: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.UserKeySet; break;

case “up”: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.UserProtected; break;

default: ksf = System.Security.Cryptography.X509Certificates.X509KeyStorageFlags.DefaultKeySet; break;


System.Security.Cryptography.X509Certificates.X509Certificate2 cert = new System.Security.Cryptography.X509Certificates.X509Certificate2(WebConfigurationManager.AppSettings[“signingpfx”], WebConfigurationManager.AppSettings[“signing”], ksf);

e.Result = cert.ToString(true);



catch (Exception ee)


e.Result = ee.ToString();





Hi Roy,<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Thank you for the details.

However, I am not clear about your issue. Are you using the same application in the above URLs you have shared? As you mentioned that the process is working fine on one server and not on the other, so please confirm that you are using same application on both the servers. If application is same then it most probably is environment related issue. Please share the system environment details with us i.e. OS, .NET Framework, 32 bit or 64 bit machine etc. Also, please share your sample application and certificate file with us to help us test the issue at our end.

Sorry for the inconvenience,

Development Test Machine:

Windows 2008 R2 Standard 64bit

IIS 7.5

.Net 3.5

Demo Machine

Windows 2008 R2 Web 64bit

IIS 7.5

.Net 3.5

The urls point to the same web application, pdf, certificate, image.

From my search of the web with Google, I have found references to not being able to load certificates with the User Ket Set when running from IIS.

The solution given was to use the Machine Ket Set.

So far I have not found a way of changing the load method of the certificate when signing the PDF document.

I have not included the Aspose.pdf.dll in the bin directory.

Hi Roy,<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Thank you for sharing the application.

I checked your issue over my machine (Windows 7, 32 bit and .NET Framework 3.5) and using “Test PDF Signing” button creates the PDF fine with signature (I am using your shared code with certificate files). I will further test this issue by creating similar environment as your shared details and will share the results with you. Also, please confirm that you are facing the issue in “Test PDF Signing” process under your environment (as I don’t see the code for other scenarios in your shared application.

Sorry for the inconvenience,

The fix for this problem was the following:

Access the target machine using the IIS login user for the web site.

Change the IIS worker process to load the full user profile.

Thus the current version of the PDF signing does not work without the full user profile being loaded by the IIS worker process.

Hi Roy,<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

Thank you for your feedback and we are happy that you are able to solve your problem at your end.

Please feel free to contact support in case you need any further assistance.

Thank You & Best Regards,